On 09/24/2010 03:34 PM, Martin Holste wrote:
> My votes:
>> - many times there is just a question mark instead of the username.
>> Should it still be stored in a variable (useracct.username) or only for
>> the Logout lines, where it actually might get a useful value?
> I would vote not to store the question mark since I think the ? is
> equivalent to NULL, which is what would get logically stored anyway.
>> - the "New connection" line has the same info (the IP address) twice.
>> How should it be handled?
> I'm not seeing the IP twice in the examples you provided.
It was broken into two lines due to automatic line breaks, but the next
is a single log line, where the remote IP address (192.168.2.142)
Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
> If it is
> indeed there twice, I guess the question is what the tag name is for
> both. If you weren't planning on having a tag for one of the two
> occurrences, then I would say skip that one since it wouldn't make
> sense without a tag name.
As the address/fqdn is always the same here, belonging to the same
variable, useracct.device. So, storing it once is enough. Then the first
appearance could be discarded with a @QSTRING::@@)@ and the second one
stored with an @ANYSTRING:useracct.device@
>> - how should Anonymous login be handled?
>> @QSTRING:useracct.username: @
>> <value name="usracct.username">Anonymous</value>
> I think "Anonymous" should definitely get logged the same as any other
> user name, since you would want to see that on reports.
It would be stored both ways, I just would like to know, which is more
elegant, less resource hungry, etc.
> thought would be to maybe switch it to the IP address, but I don't see
> how you would do that across log lines.
Well, that would require some session tracking, but even then we are out
of luck, as session information is missing from the logs.
-- 
Peter Czanik (CzP) <firstname.lastname@example.org>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
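The three normalization choices discussed in this thread (treat "?" as NULL, store the address once, record "Anonymous" like any other user name), shown as an added Python example; it is not part of the original messages and is not syslog-ng patterndb syntax. It takes the address from the "(user@host)" prefix rather than from the end of the line, and the "Anonymous user logged in" and "Logout." sample lines are constructed, not taken from the thread.

```python
import re

# Every pure-ftpd message in the thread's sample starts with "(user@host) [LEVEL] ".
LINE = re.compile(
    r"pure-ftpd: \((?P<user>[^@]*)@(?P<host>[^)]+)\) \[(?P<level>\w+)\] (?P<text>.*)$"
)


def parse(line):
    """Return the name-value pairs for one line, or None if it is not pure-ftpd."""
    m = LINE.search(line)
    if m is None:
        return None
    # The address is stored once, from the prefix; the copy at the end of
    # "New connection from ..." stays in the message text and is not stored again.
    fields = {"useracct.device": m.group("host")}
    user = m.group("user")
    if m.group("text").startswith("Anonymous user "):
        # Anonymous sessions get a fixed value so they show up in reports.
        user = "Anonymous"
    if user != "?":
        # "?" means no user is known yet: treat it as NULL and store nothing.
        fields["useracct.username"] = user
    return fields


SAMPLES = [
    # Log line from the thread, rejoined onto one line.
    "Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] "
    "New connection from 192.168.2.142",
    # Constructed lines (assumed message texts, not from the thread).
    "Sep 24 13:52:50 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] "
    "Anonymous user logged in",
    "Sep 24 13:55:01 linux-6y8u pure-ftpd: (czp@192.168.2.142) [INFO] Logout.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```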